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PROGRAMMING  AND  PROVING  CORRECTNESS  OF  THE  SCANNING 
ALGORITHM  WITH  BACKTRACK 

Juraj  Wiedermann 

Computer  Research  Center,  Bratislava 

Abstract*  The  systematic  construction  of  a  program  in  which  its  cor¬ 
rectness  is  demonstrated  in  parallel  to  the  development  of  the  program 
is  explained  in  the  example  of  the  scanning  algorithm  with  backtrack. 

The  total  correctness  of  the  program  is  proven  by  the  method  of  inter¬ 
mittent  assertions. 

Key  words*  Programming;  Program  correctness;  Systematic  construction 
of  programs;  Scanning  algorithm  with  backtrack. 

1 .  Introduction 

When  solving  combinatorial  problems  in  practice,  we  frequently 
encounter  a  situation  in  which  we  have  a  given  (finite)  set  A  of  candi¬ 
dates  to  resolve  the  problem  and  we  must  choose  from  this  set  those  can¬ 
didates  that  satisfy  the  specific  conditions  £  for  the  solution.  This 
means  that  the  solution  to  our  problem  is  the  set  B  =  |x€  A  J  p(x)}  . 

We  will  call  the  algorithms  that  solve  this  problem  the  scanning 
algorithms  since  to  find  all  the  solutions,  they  must  scan  the  entire 
set  of  candidates  (on  the  assumption  that  we  do  not  know  any  of  the  re¬ 
lationships  between  the  elements  in  set  A). 

Later  on,  we  will  look  at  a  simple  program  flow  chart  which  is  the 
solution  to  a  given  problem  and  we  will  prove  its  correctness. 

The  scanning  problem  as  we  have  defined  it  in  the  introduction  is 
quite  universal  in  many  situations.  Since  we  are  limited  here  to  a  spe¬ 
cial  problem  where  we  need  not  scan  the  set  of  candidates  by  the  exhaus¬ 
tive  technique  of  "one  after  the  other"  and  can  sometimes  "omit"  certain 
elements  because  we  know  that  they  cannot  be  the  solution  to  the  problem. 
We  will  call  these  algorithms  scanning  algorithms  with  backtrack  and 
using  them,  we  will  look  at  a  universal  programming  chart  and  prove  its 
total  correctness. 


We  will  prove  total  correctness  with  the  method  called  intermittent 
assertions  /67. 

Since  the  scanning  algorithm  with  backtrack  is  a  special  instance 
of  the  universal  scanning  algorithm,  we  will  see  that  this  function  is 
also  applicable  to  proving  the  correctness  of  these  algorithms;  proving 
the  correctness  of  the  scanning  algorithm  with  backtrack  is  a  special 
"refined"  proof  of  the  correctness  of  the  universal  scanning  algorithm. 

With  this,  we  also  hope  to  show  at  the  same  time  that  the  method 
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of  intermittent  assertions  is  applicable  for  the  so-called  systematic 
construction  of  programs  where  its  correctness  is  proven  in  parallel 
to  the  development  of  the  program. 

In  the  conclusion  we  will  look  at  the  problem  of  "27  cards"  as 
an  application  of  the  universal  scheme  of  the  scanning  algorithm  in  a 
concrete  example. 

2.  The  universal  scanning  algorithm 

The  following  program  which  solves  the  universal  scanning  problem 

is  simple  and  obvious:  program  SEARCH; 

bagin 


input  (//) ; 

start : 

fl»0; 

loop: 

whUa  dobagin 

x  H  •  H  :  =  H 

If  p(x)  than  B :  =* 

and; 

finish : 

output  ( B ) 

and 

The  instruction  "x  «—  H"  means  "select  an  arbitrary  element  from 
the  set  H  and  assign  the  variables  of  x  to  it" . 

At  the  beginning,  this  program  "opens"  the  set  of  candidates  into 
sets  (variables)  of  H  and  so  long  as  the  set  H  is  not  an  empty  set,  it 
selects  one  element  after  another  and  tests  whether  this  element  is  or 
is  not  the  solution;  if  not,  it  then  moves  on  to  the  set  B. 

The  following  theorem  explains  the  total  correctness  of  the  SEARCH 
program: 

THEOREM  1:  If  at  times  H  =  A  at  the  start  signal,  then  sometimes 
B  *  ix€  A|  p(xj\  at  the  finish  signal. 

We  will  note  that  this  theorem  does,  in  fact,  explain  the  total 
correctness  of  the  SEARCH  program;  that  is,  when  the  entry  condition  at 
the  beginning  of  the  program  is  such  that  the  program  ends  (the  theorem 
implies  that  the  solution  to  the  program  is  sometimes  achieved  at  the 
finish  signal  which  is  at  the  end  of  the  program)  and,  consequently,  the 
output  condition  is  fulfilled  at  the  close. 

In  order  for  us  to  be  able  to  use  the  method  of  intermittent  asser 
tions,  we  must  generally  look  through  each  cycle  of  the  program  at  the 
validity  of  any  lenmas  that  describe  the  effect  of  that  cycle  and  imply 
(generally  in  combination  with  other  lenmas)  the  validity  of  the  main 
theorem  which  explains  the  total  correctness  of  the  program. 

The  behavior  of  a  single  cycle  in  our  program  is  described  by  the 
following  lemma: 
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LEMMA  1.  If  when  H  =  H'  and  B  =  B^at  the  start,  then  when  H  =  0 
and  B  =  B  ufxc  H'|  p(x)J  at  the  start  loop. 

The  assumption  H  =  H'and  B  =  3/  are  lemmas  that  enable  us  to  look 
for  sequential  values  in  the  sets  H  and  B  at  the  conclusion  of  the  lemma 
where  the  values  of  H  and  B  can  change  in  the  interim. 

Stated  informally,  Lemma  1  asserts  that  the  cycle  with  the  start 
loop  is  sometimes  the  end  —  the  original  value  H'  of  the  set  H  sometimes 
changes  to  the  value  H  *  0  —  and  consequently,  the  set  |xaH'  |  p(x)] 
increases  towards  the  original  value  B'  in  the  set  B;  that  is,  all  the 
solutions  from  this  set  (H')  that  we  have  not  "disproven*. 

Lemma  1  is  proven  with  full  inductive  regard  for  the  value  of  the 

set  H: 

Let  H=  and  B  =  B'  at  times  in  the  start  loop; 

1.  Let  H#  =  0.  Then,  it  holds  true  that  H  =  0  and  3  =  37  U  ^x%  0|p  (x)} 

*  B'  at  the  start  loop  which  must  be  proven. 

2.  Vie  will  assume  that  the  lemma  is  correct  for  all  values  in  the  set 
?  C  H*. 

3.  Since  H  =  H;  ^  0  holds  after  one  cycle  pass  ,  there  is  also  an- 

x  €  H'  such  that  H  =  Hy  -  Jx)  and  B=B#U  ^y  *  H'  -  ^x)|p(y)J 

in  the  start  loop.  Therefore,  H*  -  ^  C  H/  and  we  can  use  the  in¬ 
ductive  assumption  so  that  when  H  =  0  and  3  =  B'  U  ^y  c  ^x}  )  p(y)"J  U 

U  H'-  H|p<y>}  =3>  u{y«  h'  \  p(y)J  in  the  start  loop  which 

proves  the  lemma. 

It  is  essentially  true  that  a  program  as  simple  as  the  SEARCH  pro¬ 
gram  might  never  be  proven  in  practice.  We  make  special  note  of  this 
in  order  to  show  in  a  simple  program  how  total  correctness  of  a  program 
is  proven  by  the  method  of  intermittent  assertions  as  since  later  on 
in  proving  the  correctness  of  the  scanning  algorithm  with  backtrack,  we 
can  use  some  of  the  concepts  and  experience  acquired  by  proving  the  cor¬ 
rectness  of  the  universal  scanning  algorithm. 


2-  The  scanning  algorithm  with  backtrack 

On  the  assumotion  that  all  elements  in  the  set  of  candidates  A 
are  explicitly  given  (we  are  not  aware  of  the  order  or  how  they  are 
generated),  the  preceding  program  for  universal  scanning  essentially 
has  no  effect  whatsoever.  Its  memory  and  temporal  make-up  are  unsuitable 
—  we  must  retain  the  entire  set  A  in  memcry  at  one  time  and  hold  on  to 
all  its  elements.  If  the  set  A  is  large  (as  would  be  the  case  in  com¬ 
binatorial  problems  )  the  entire  program  is  intolerably  inefficient. 
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It  is  often  the  case,  however,  that  the  set  A  is  not  explicitly 
given?  that  is,  that  not  all  its  elements  are  generated  one  after  the 
other  or  that  we  know  the  order  of  how  all  the  elements  are  generated. 

We  will  assume  a  set  of  A  =  x  A2  X  . .  .X  Ajj;  the  solution 
to  the  scanning  problem  then  is  all  the  n- tuples  (vectors)  of  X-(x1,x2, 

. ..xn)  6  A  so  that  p( ic)  is  valid. 

Then  we  are  able  to  program  the  scanning  algorithm  in  an  essential¬ 
ly  more  effect  manner  (at  least,  for  the  present,  from  the  memory  stand¬ 
point);  we  need  not  remember  the  entire  set  A  all  at  once  but  onlv  the 
individual  components  A1#  A2»...An  of  the  Cartesian  product  ana  that  all  ele¬ 
ments  of  the  set  A  are  generated  sequentially  from  them.  It  is  simplest 
to  program  how  n  is  tested  against  itself  in  insert  cycles  where  a  single 
component  of  the  vector  i  is  generated  in  each  cycle  as  well  as  during 
the  innermost  cycle  where  the  entire  vector  i.  is  generated  which  is  the 
solutions 


start : 


program  SIMPLEBACKTRACK ; 

bogln 

input (X, ....  X); 

B:«0; 

whUo  H,*d  do  bogln 

x,  «-//,;  //, :»//,-  {x.} ; 

whUo  Hi  ^  0  do  bogln 

Xi  «-  Hi  ;  Hii-Ht-  {xi} ; 


whUo  tf.*0  do  bogln 

xm 

H  p(xt,  Xi, ...  x„) 

thon  . X.) 

fl 

ond 

ond 

ond; 

finish:  output  (B) 

ond; 

Thus  when  Xj  *  A^ ,  X2  *  A2 . Xn  *  ^  at  the  start  signal,  then 

it  can  be  proven  that  it  will  be  true  that  B  =  fx4  aJ  p(l)j  at  the 
finish  signal. 

The  correctness  of  this  progam  cannot  be  proven,  however,  since 
this  program  is  still  unattractive.  Aside  from  the  fact  that  we  must 
know  the  concrete  value  of  &  in  advance  in  order  to  make  up  a  program 
at  all,  it  is  also  inefficient  from  the  time  standpoint  as  is  the  pre¬ 
ceding  SEARCH  program  for  universal  scanning. 

The  reason  for  this  time  inefficiency  is  that  in  the  i-th  cycle, 
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Hi  £  n  generates  further  components  xi  of  the  vector  x  without  con¬ 
vincing  us  that  the  currently  discovered  components  x^,...x^_^  can  he 
supplemented  in  any  solution  at  all. 

Let  us  name  the  predicates  p(x^,  ...  x^)  such  that  p(x^,...xn) 

^  p(x^,  ...  xj,)  where  i  =  l,...,n-l  and  satisfaction  of  the  predicate 
p(xi,  ...  xi)  is  a  necessary  condition  for  the  predicate  p(5)  to  he 
fulfilled  at  all. 

What  we  arrange  in  this  sense  is  the  preceding  program  and  we 
"roll*'  the  cycle  hack  to  itself  and  we  get  the  following  programs 

program  BACKTRACK; 

bogfn 

input  (Xi, ...  X„); 

start;  B:*0;  /:  =  !; 

LI;  whUo  i  «  1  do  begin 

L2:  whtio  H2*Q  do  bogin 

x,  -  H,\  «:=»«-{ *}; 

H  p(xx, ...  xt) 
than  if  i  =  n 

than  B:  »  B\J  {*A\ 
oioo  H,:  =  X 

ft 

n 

and; 

/:»»- 1 

and; 

finish:  output  (B) 

ond 

From  this  program,  we  can  see  that  after  generating  one  component 
of  xi,  we  can  predict  all  that  fullfill  the  necessary  condition  of  the 
solution  —  the  predicate  p(xi,  ...  Xi)  and  only  when  it  has  been  ful¬ 
filled  (and  not  just  another  solution)  do  we  "plunge"  into  a  deeper  cycle; 
otherwise,  it  is  apparent  that  no  choice  of  Xi^,...  xn  can  fulfill  the 
condition  p(x)  —  this  means  that  all  n-th  which  begin  x^,  ...  xi  can  he 
omitted  from  the  scanning  process  —  which  we  get  so  that  we  proceed 
with  selection  of  another  xi  ^  H^. 

If  we  exhaust  all  the  elements  at  the  i-th  level,  then  we  select 
again  at  the  i-1  level  and  continue  on  through  the  generation  of  the 
components  xi-i  at  this  level.  From  there,  we  come  hack  to  the  algorithm 
—  the  scanning  algorithm  with  backtrack. 

We  prove  the  total  correctness  of  the  BACKTRACK  program  as  we  prove 
the  validity  of  the  following  theorem; 

THEOREM  2;  If  X  *  A  at  the  start  signal,  then  B  -fit  «a|  p(Jc)j 
at  the  finish  signal. 


We  can  prove  Theorem  2  by  means  of  the  following  lemma: 

LEKMA  2.  When  =  H^,  3  =  B/ and  1  6  i  =  i*  £  n  at  the  L 2  signal 

then  Hi  =  0,  B  =  B'U  (ye  (xjj  X  ...  X  (xi.j  X  X  X in  X  ...  X  Xn  | 

p  <»}  and  i  =  i  at  the  L2  loop. 

When  the  assumption  X  =  A  of  Theorem  2  is  fulfilled  at  the  start 
signal,  we  also  get  Hi  =  Ai ,  B  =  0  and  i  =  1  at  the  L2  signal  so  that 
according  to  Lemma  2,  when  Hi  =  0,  B  =  iyeMp  (y)j  and  i  =  1  at 
the  L2  signal.  Since  Hi  =  0,  we  can  drop  the  cycle  with  the  L2  loop, 
the  value  of  i  will  drop  by  one  and  we  can  proceed  to  the  LI  signal 
with  a  value  of  i  3  0  and,  from  there,  on  to  the  finish  signal  at  which 
the  output  condition  of  3  =  jy  <£.  A  |  p(y)j  which  is  the  assertion  of 
Theorem  2  remains  valid. 

We  can  see  here  the  similarity  between  Theorem  1,  Lemma  1  and 
Theorem  2  and  Lemma  2.  Theorem  2  and  Lemma  2  merely  reflect  the  "more 
refined"  structure  of  the  set  A  =  Aj_  X ...X  An. 

We  can  offer  a  proof  of  Lemma  2  with  an  inductive  view  of  i'  . 

1.  When  i  =  n,  let  Hn  =  Hn  and  B  =  at  the  L2  loop.  Looking  in¬ 

ductively  at  the  magnitude  of  the  set  Hn,  we  can  show  the  validity 
of  the  lemma  in  the  following  case: 

1.1  If  Hn  =  0,  the  fact  that  the  assertion  of  the  lemma  is  fulfilled 
at  the  L2  signal  is  trivial. 

1.2.  'We  will  assume  that  the  lemma  is  valid  for  all  subsets  ?n  C 

1.3.  If  Hn  3  Hn  0  0,  then  it  is  true  after  one  cycle  pass  at  the  n-th 
level  that: 

there  exists  an  xn  a  Hn  such  that  Hn  =  H^  -  |xnj ,  B  =  3' 

U  ixi]*  •  •  •  *fcn}j  P(y)  =  B*.  Since  Hn  -  {xnjc  H„,  we  can 
use  the  inductive  assumption  1.2  so  that  when  Hn  =  0  and  B  = 
B'l^yefxiJx  ...*  {xn-ijx  (H„  -  (xn}  )|p  (y)}  = 

B'U(y  fcfxijx  ...  x[xn-i}><  Hn;|  p(y)j  and  i  =  n  at  the  L2  signal; 
Q.E.D. 

2.  We  will  assume  that  the  lemma  holds  true  for  all  j,  l£  i^  j  £  n. 

3.  Looking  inductively  at  the  magnitude  of  the  set  h£,  we  can  show  the 
validity  of  the  lemma  for  when  i  *  i#  also. 

Therefore,  let  Hi  =  H^,  B  *  3*  and  1  £  i  -  i'<  n  at  the  L2  signal. 

3.1.  If  Hi  =  0,  the  lemma  is,  of  course,  fulfilled. 

3.2.  ’We  will  assume  that  the  lemma  holds  true  for  all  subsets  H^ 

3.3.  When  Hi  *  Hi7  /  0 ,  then  after  the  first  two  instructions  in  the 

cycle  it  holds  true  that  there  exists  an  xi«  Hi  so  that  Hi  =  Hi  -  [xJL 


We  can  further  break  it  down  into  two  cases: 

a)  if  it  is  not  true  that  p(x^ , . . ,x^) ,  we  can  go  back  to  the  L2 

signal  with  a  value  of  i  3  i'  ,  H  =  -  [xjj  and  3  =  B’U  [y€ 

XfxjJ  X  ...  Xn|  ?($)}  =  3*  =  B*UC.  From  the  assumption  that 

p(x^,...Xi)  is  not  true,  it  follows  that  no  n-tuples  beginning  at  x^  ...  ,  x., 
can  be  the  solution;  this  means  that  the  set  C  =  0  and  that  we  can  use 
it  without  everything  to  add  to  the  set  B' .  Since  -  (xii  C  H^,  we 
can  use  the  inductive  assumption  3.2  so  that  Hj_  =  0  and  3=B-UU&€  CxiJ 
X  ...X  (xi-JX  (Hi  -  fxj  )XXin  X  ...  Xn|  p(J)J  at  the  L2  signal  and 
also  i  s  i*  at  the  L2  signal. 

We  can  get  a  confirmation  of  the  lemma  by  applying  the  preceding 
expression  to  the  set  B. 

b)  If  p(xj_,...xO  holds  true  and  since  i<  n,  the  value  of  i  in¬ 
creases  by  one  for  a  value  of  j  =  i  +  1,  we  also  reach  the  L2  signal 

with  values  of  Hj  =  X j ,  B  =  3'  and  1<  j  8  i  f  U  n.  Therefore, 

1  ^  i  ^  j  ^  n  according  to  inductive  assumption  2  when  Hj  =0,  3  =3 

Ufa*  {xi]  X  ...  X  (xj-ijxXj  x  ...  X  Xn  |  p(y)}  and  j  *  i  +  1  at  L2. 

Since  Hj  =  0  at  L2,  the  value  of  j  is  reduced  to  the  original  value  i 
and  since  i^  1,  we  move  from  the  LI  signal  to  the  L2  signal  with  /the 
values7  i  =  i  ,  Hi  =  H^  -  [x^j  and  B  =  B*.  Since  H^  -  JxA  C  H^,  we 
get  a  confirmation  of  the  lemma  according  to  the  inductive  assumption 
3.2  similar  to  that  in  the  preceding  situation  a). 

By  proving  Lemma  2,  we  have  completed  the  proof  of  the  total  cor¬ 
rectness  of  the  BACKTRACK  program. 

On  its  own  level,  this  program  represents  an  effective  flow  plan 
for  the  scanning  algorithm  with  backtrack.  This  plan  also  provides  for 
a  relatively  direct  "approach"  to  solving  a  concrete  problem.  Therefore, 
it  is  necessary  only  to  find  (and  program)  the  correct  interpretation 
of  the  set  A  and  the  predicate  p.  The  effectiveness  of  the  resultant 
program  is  critically  dependent  on  the  effectiveness  of  running  a  test 
of  if  p(xi,...xi)  then  .... 

It  is  apparanent  that  the  sooner  we  recognize  that  some  partial 
solution  of  X},...x^  cannot  be  expanded  (completed)  to  a  full  solution, 
the  more  elements  of  the  set  A  we  can  eliminate  all  at  once  from  the 
scanning  process  and  the  faster  we  will  achieve  the  goal. 

From  the  nature  of  the  combinatorial  problem  to  be  solved,  we  can 
sometimes  see  that  a  simple  transformation  from  one  solution  to  the 
problem  can  result  in  some  other  solutions  (the  solutions  are  isomorphous ) . 
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For  this  reason,  it  is  advantageous  not  to  generate  these  other  iso¬ 
morphic  solutions  and  to  "skip  over"  them.  The  test  for  this  can  also 
he  hidden  in  the  predicate  p.  Further  detailing  of  this  problem  as 
well  as  the  questions  of  effective  implementation  of  scanning  algorithms 
with  backtrack  is  the  subject  of  reference  /l7. 

4.  The  problem  of  27  cards 

The  problem  of  27  cards  is  as  follows  /27s  we  have  a  playing 
board  with  27  fields  and  3  sets  of  cards  with  values  of  from  1  through  9. 

Our  job  is  to  find  all  the  possible  positions  of  all  the  cards  on  the 

game  board  so  that  between  every  two  adjacent  fields  on  the  game  board 

on  which  there  are  cards  of  some  value  k,  there  are  cards  to  the  right 
of  the  field  with  some  other  value. 

The  exercise  may  obviously  be  generalized  to  a  problem  of  3n  cards. 

Let  xi  stand  for  the  position  of  the  first  card  of  three  with  values 
of  i,  i  =  1  ...  n  on  the  game  board.  From  the  statement  of  the  problem 
it  follows  that  the  position  of  the  first  card  also  determines  the  posi¬ 
tion  of  the  other  two  cards  —  they  must  be  in  positions  Xj,  *  i  *  1  and 
Xi  t  2i  +  2  and  also  that  \4  xi  4  3n  -  2i  -  2  as  otherwise,  some  card 
would  fall  outside  the  playing  area.  The  problem  of  our  sets  then 
is  the  playing  intervals  ^.,  3n-2i-2^  where  i  =  1,  ...n. 

The  predicate  p(xi#,..xi)  is  now  interpreted  as  correct  so  long  as 
it  places  cards  with  a  value  of  k  in  the  positions  x^,  x^  *  k  ♦  1  and 
xfc  +  2k  +  2  given  that  k  =  l,...i;  otherwise  it  is  incorrect.  The  solu¬ 
tion  to  our  problem  will  be  all  n's  of  Xi,...xn  such  that  p(xlt...xn) 
holds  true. 

The  partially  stated  BACKTRACK  program  plan  which  has  been  adapted 
to  solve  the  problem  of  27  cards  now  looks  as  follows: 

program  CARDS; 
ft#0ftiinput  (n); 

x, :  =3/i  -4;  /:«  I ; 
whUo  i  *  i  do  bogtn 

whUo  x,  >  o  do  bogln 

X..»x,  -  \ ; 

H  p(x,  ♦  1,  ...  x,  +  !) 

than  It  i~n 

than  print  (x,, ...  x.) 

OlOO  /:»;♦  I;  x,:»3/i-2i-2* 
fl 

n 

and: 

-  I 


and 
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We  can  see  that  we  can  do  without  the  sets  since  we  are  assured 
by  the  sequential  reduction  in  the  value  of  xi  (which  has  been  initialized 
to  the  value  of  3n-2i-2  prior  to  each  plunge  into  the  cycle)  by  one  that 
we  will  cover  all  the  possible  values  that  x^  can  acquire. 

Thus,  we  are  not  "collecting'*  all  the  solutions  in  set  3  so  that 
we  print  them  directly  (the  representative  area  —  "listing"  —  plays 
the  part  of  set  B). 

With  the  full  "extension"  of  the  CARDS  program  to  some  concrete 
programing  language  (such  as  Pascal)  we  can  also  program  the  predicate 
p.  We  can  do  this  as  a  3oolean  function,  for  example  which  has  a  game 
field  and  memory  coded  into  itself  with  an  occupied  field.  ’We  will  re¬ 
call  that  the  efficiency  of  the  entire  program  to  a  great  extent  depends 
directly  on  the  effective  implementation  of  this  predicate  since  the  test 
of  its  accuracy  is  determined  in  each  cycle.  This  problem  is  not  solely 
concerned  with  the  basic  function  of  the  scanning  algorithm  with  backtrack 
and  for  this  reason,  we  will  not  deal  with  it  further. 

5.  Conclusion 

In  the  foregoing  text,  we  have  shown  how  to  prove  the  total  correct¬ 
ness  of  programs  by  the  intermittent  assertions  technique.  While  using 
this  method,  total  correctness  of  a  program  is  expressed  in  the  form  of 
a  theorem: 

THEOREM:  When  the  opening  condition  is  fulfilled  at  the  point  of 
entry  into  the  program,  the  solution  is  achieved  at  the  end  of  the  pro¬ 
gram  and  at  that  point,  the  output  condition  is  fulfilled. 

This  theorem  states  that  the  program  is  partially  correct  and,  over 
and  above  this,  that  it  ends. 

In  order  to  prove  the  validity  of  this  theorem  for  our  program,  we 
must  find  an  intermittent  assertion  at  a  specified  point  in  the  program 
which  asserts  something  about  the  chosen  variables  in  the  program  that 
also  holds  true  when  the  solution  to  the  problem  passes  through.  The 
connection  between  these  assertions  can  be  described  by  means  of  lemmas 
from  which  proof  of  the  validity  of  the  main  theorem  must  come. 

In  general,  we  will  need  one  lemma  which  describes  the  intended 
behavior  of  the  cycle  for  each  cycle  in  the  program.  This  lemma  general¬ 
ly  asserts  that  when  the  cycle  ends,  it  adds  what  still  remains  to  be 
completed  to  what  has  currently  been  executed  in  the  cycle. 

The  proof  of  these  lemmas  is  generally  worked  out  through  complete 
induction  with  the  elements  (variables)  of  a  certain  set  which  does  not 
contain  any  indeterminate  non-declining  series  (the  so-called  "well- 
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founded  set”  —  see  /57  or  ) . 

The  only,  and  therefore  probably  the  greatest  problem  remains  of 
how  to  formulate  the  assertion  of  the  theorem  so  that  it  expresses  the 
total  correctness  of  the  program  and  how  to  formulate  the  assertion  of 
the  lemma  so  that  it  is  possible  to  prove  the  theorem  from  then  and  also 
so  that  we  can  prove  the  lemma  independently. 

This  validates  the  "golden  rule  of  proving  programs",  that  is,  the 
better  we  think  out  the  program,  the  easier  it  is  for  us  to  prove  its 
correctness.  When  we  recognize  the  fact  that  the  more  intelligible  a 
program  is,  the  simpler  and  shorter  it  is,  we  come  to  the  next  instruc¬ 
tion  on  how  to  proceed  with  proving  programs: 

We  start  with  the  suggestion  of  a  program  that  solves  a  given  prob¬ 
lem  on  the  level  of  abstraction  that  we  understand  well  and  then,  we  can 
move  easily  to  formulate  the  assertion  of  the  theorem  and  the  secondary  lenra 
and  to  prove  them.  In  a  further  step,  we  drop  to  a  lower  level  of  ab¬ 
straction  so  that  we  make  certain  instructions  in  the  program  more  spe¬ 
cific  and  we  can  refine  its  structure.  Then  we  come  to  the  program 
which  differs  only  "slightly"  from  the  original  and  therefore,  the  proof 
of  its  correctness  would  have  a  resemblance  "in  its  coarser  features" 
to  the  proof  of  the  preceding  program.  This  means  that  the  "skeleton" 
of  the  new  proof  is  already  made  up  and  the  proof  requires  only  the  "re¬ 
finement"  of  certain  assertions  and  arguments  so  that  it  is  appropriate 
to  the  new  situation.  Thus,  we  proceed  along  with  the  gradual  refine¬ 
ment  of  the  program  and  proving  its  correctness  and  we  do  not  work 
towards  a  meaningful  program  which  will  solve  a  given  problem  and  has 
already  been  formulated  in  a  specific  and  meaningful  programming  language. 

It  seems  that  in  practice  it  is  sufficient  to  "attain"  proof  of  the 
program's  correctness  when  the  program  is  at  the  "penultimate"  level  of 
abstraction;  that  is,  it  is  not  necessary  to  come  up  with  a  proof  of 
correctness  for  the  final  program  in  a  meaningful  languange  except  when 
the  program  is  at  the  highest  abstract  level  which,  to  some  extent, 
represents  the  most  universal  plan  in  the  solution  to  our  problem  — 
and  the  one  from  which  we  can  achieve  our  meaningful  program  more  or 
less  directly.  During  the  final  phase  of  firming  up  the  program,  only 
the  final  simple  functions  which  add  to  the  program  additional  secondary 
variables  but  which  do  not  alter  the  control  of  the  program  are  made 
more  specific.  At  the  programming  level,  the  experienced  programmer 
assumes  this  function  and  substantive  errors  introduced  into  the  program 
during  this  phase  are  found  either  by  a  good  collator  (differences 
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in  types,  parameters,  indexes  that  "run  past”  the  acceptable  dimensions, 
and  the  like)  or  they  are  quickly  removed  by  the  programmer  during  the 
debugging  process.  The  descriptive  complexity  of  proof  at  this  final 
level  would  increase  considerably  and  be  greatly  augmented  by  the  proba¬ 
bility  of  introducing  error  into  the  proof  as  well. 

This  reality  supports  (in  addition  to  uur  own  experience)  the  empiri¬ 
cal  reconnaisance  of  programs  /3 7  where  it  has  been  shown  that,  in  a  num¬ 
ber  of  cases,  programs  have  been  incorrect  in  spite  of  the  fact  that  their 
correctness  has  been  proven.  It  was  also  shown,  however,  that  error  was 
introduced  into  the  program  right  at  the  final  stage  of  making  the  program 
concrete  and  that  the  proof  "did  not  find"  it  but  rather  that  the  error 
per  se  was  removed  during  the  first  failure  of  the  program. 

From  the  above  considerations,  it  is  particularly  apparent  that 
there  is  no  need  to  prove  programs  in  standard  practice  whose  statement 
at  a  "sufficiently”  high  degree  of  abstraction  is  at  the  same  time  a 
concrete  program  in  a  meaningful  language  as  well  —  the  so-called  "baby” 
programs  (looking  for  the  maximum  element  in  a  field,  testing  the  equality 
of  two  fields,  and  the  like,  for  example). 

It  is  apparent  that  the  method  of  constructing  proof  of  correctness 
in  parallel  to  the  structure  of  a  program  is  useful  in  most  of  the  known 
methods  for  proving  the  correctness  of  programs.  It  also  indicates  /67 
that  proving  the  total  correctness  of  programs  is,  in  many  cases,  done 
most  simply  by  the  technique  of  intermittent  assertions  rather  than  by 
means  of  the  M traditional"  methods  (Floyd's  method  of  invariants  and 
derived  techniques  —  /4,  5 7). 

Our  proof  of  the  correctness  of  the  BACKTRACK  program  can  serve  as 
an  example  of  this  if  we  compare  it  with  the  proof  of  the  similar  but 
recursive  program  in  /?7  which  was  shown  by  the  invariants  technique. 

In  16J  it  is  shown  again  and  again  that  proof  by  the  technique  of 
intermittent  assertions  can  never  be  as  "cumbersone"  as  proof  by  means 
of  invariants  since  the  invariants  technique  is  only  a  special  instance 
of  the  intermittent  assertions  technique. 
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PROGRAMMING  AND  PROVING  CORRECTNESS  OF  THE  BACKTRACK  ALGORITHM 

Solving  i he  combinatorial  problems  in  practice  we  often  find  ourselves  in  a  situation  where  we  have 
.i  certain  (final)  set  of  candidates  for  the  problem  solution  and  we  have  In  choose  from  this  set  those 
candidates  that  fulfil  a  certain  condition  of  the  solution  Algorithms  solving  this  problem  are  called  the 
Manning  algorithms,  because  for  finding  ail  the  solutions  they  have  to  scan  the  whole  set  of  candidates. 
Ihc  e sample  of  the  efficient  scanning  algorithm  —  backtrack  algorithm  —  shows  the  systematic 
construction  of  program  where,  together  with  the  development  of  the  program,  us  correctness  is  proved. 
The  total  correctness  of  the  program  is  proved  by  the  method  of  intermittent  assertions. 


